Configuring an IPsec Site-to-Site VPN on Palo Alto Networks equipment


This article continues the earlier material on the specifics of configuring Palo Alto Networks devices. Here we want to talk about setting up an IPsec site-to-site VPN between Palo Alto Networks firewalls, and about one possible way of configuring connections to several Internet providers.

A standard head-office-to-branch topology is used for the demonstration. For fault-tolerant Internet connectivity the head office is connected to two providers at once, ISP-1 and ISP-2. The branch is connected to a single provider, ISP-3. Two tunnels are built between the firewalls PA-1 and PA-2. The tunnels run in Active-Standby mode: Tunnel-1 is active, and Tunnel-2 starts carrying traffic when Tunnel-1 fails. Tunnel-1 uses the link to ISP-1, Tunnel-2 the link to ISP-2. All IP addresses were chosen at random for the demonstration and bear no relation to real ones.


The site-to-site VPN is built with IPsec, a suite of protocols for protecting data carried over IP. IPsec will run with the ESP (Encapsulating Security Payload) protocol, which encrypts the transmitted data and, with the hash algorithm chosen in the profile, also authenticates it (the alternative, AH, authenticates packets but does not encrypt them).

IPsec includes the IKE (Internet Key Exchange) protocol, which negotiates the SAs (security associations), the sets of security parameters used to protect the transmitted data. PAN firewalls support both IKEv1 and IKEv2.

In IKEv1 a VPN connection is established in two phases: IKEv1 Phase 1 (the IKE tunnel) and IKEv1 Phase 2 (the IPsec tunnel). Two tunnels are therefore created, one for exchanging control information between the firewalls and the other for carrying traffic. IKEv1 Phase 1 has two modes of operation, main mode and aggressive mode. Aggressive mode uses fewer messages and is faster, but it does not support peer identity protection: the identities are sent before the exchange is encrypted.

IKEv2 was introduced to replace IKEv1; compared with IKEv1 its main advantages are lower bandwidth requirements and faster SA negotiation. IKEv2 uses fewer control messages (four in total for the initial exchange), supports EAP and MOBIKE, and includes a built-in mechanism for checking whether the peer at the other end of the tunnel is reachable, the Liveness Check, instead of Dead Peer Detection in IKEv1. If the check fails, IKEv2 can tear the tunnel down and re-establish it automatically at the first opportunity. More on the differences is available in the material linked from the original article.

If the tunnel is built between firewalls from different vendors, the IKEv2 implementations may have bugs, and for compatibility with such devices it may be necessary to fall back to IKEv1. In all other cases IKEv2 is the better choice.

Configuration steps:

• Configuring two Internet providers in Active-Standby mode

There are several ways to solve this task. One of them is the Path Monitoring mechanism, available since PAN-OS 8.0.0; this example uses version 8.0.16. The feature is similar to IP SLA on Cisco routers. A parameter of the static default route configures the sending of ping packets to a given IP address from a given source address. In this case the ethernet1/1 interface pings the default gateway once per second. If three consecutive pings go unanswered, the route is considered failed and is removed from the routing table. The same route is configured towards the second provider, but with a higher metric (it is the backup). Once the first route has been removed from the table, the firewall starts sending traffic via the second route: this is Fail-Over. When the first provider starts answering pings again, its route returns to the table and, thanks to the better metric, displaces the second one: this is Fail-Back. Fail-Over takes several seconds, depending on the configured intervals; in any case it is not instantaneous, and traffic is lost during that time. Fail-Back happens without traffic loss. Fail-Over can be made faster with BFD, if the provider supports it; BFD is supported starting from the PA-3000 series and the VM-100. It is better not to use the provider's gateway as the ping target but a reachable public Internet address: the gateway can stay reachable while the provider's upstream connectivity is down, in which case the route would never be withdrawn.


• Creating the tunnel interfaces

Traffic inside the tunnel passes through special virtual interfaces. Each of them must be configured with an IP address from a transit network. In this example the subnet 172.16.1.0/30 is used for Tunnel-1 and the subnet 172.16.2.0/30 for Tunnel-2.
The tunnel interface is created under Network -> Interfaces -> Tunnel. You must specify the virtual router and the security zone, as well as an IP address from the corresponding transit network. The interface number can be anything.


In the Advanced section you can specify a Management Profile that allows ping on this interface. This is useful for testing, and it is also what the Tunnel Monitor on the peer will probe, so the address must answer pings.


• Configuring the IKE profile

The IKE profile is responsible for the first stage of building the VPN connection; the IKE Phase 1 tunnel parameters are specified here. The profile is created under Network -> Network Profiles -> IKE Crypto. You must specify the encryption algorithm, the hash algorithm, the Diffie-Hellman group and the key lifetime. As a rule, the more complex the algorithms, the lower the performance; they should be chosen according to the actual security requirements. However, Diffie-Hellman groups below 14 are definitely not recommended for protecting sensitive information: the weakness lies in the small modulus, and it is removed only by using moduli of 2048 bits or more, or by the elliptic-curve groups 19, 20 and 21 (group 24 is also a 2048-bit modular group, with a 256-bit prime-order subgroup, not an elliptic curve). The elliptic-curve groups offer higher performance than classical modular Diffie-Hellman at the same security level. More on this is available in the material linked from the original article.


• Configuring the IPsec profile

The second stage of building the VPN connection is the IPsec tunnel. Its SA parameters are configured under Network -> Network Profiles -> IPSec Crypto Profile. Here you specify the IPsec protocol, AH or ESP, and the SA parameters: the hash and encryption algorithms, the Diffie-Hellman group and the key lifetime. The SA parameters in the IKE Crypto profile and in the IPSec Crypto profile do not have to match. Selecting a Diffie-Hellman group here enables Perfect Forward Secrecy for the Phase 2 keys (no-pfs disables it); both sides must agree on this setting, otherwise the Phase 2 negotiation fails.


• Configuring the IKE Gateway

The IKE Gateway is the object that defines the router or firewall with which the VPN tunnel is built. Each tunnel needs its own IKE Gateway; in this case two are created, one per Internet provider. The corresponding outgoing interface and its IP address, the peer IP address and the pre-shared key are specified here. Certificates can be used instead of a pre-shared key. If a pre-shared key is used, it should be long and random, since it is the only thing that authenticates the peer.


The IKE Crypto profile created earlier is selected here. The parameters of the second IKE Gateway object are the same, apart from the IP addresses. If the Palo Alto Networks firewall is behind a NAT router, NAT Traversal must be enabled.


• Configuring the IPsec Tunnel

The IPSec Tunnel object, as the name suggests, defines the parameters of the IPsec tunnel. Here you specify the tunnel interface and the IKE Gateway and IPSec Crypto Profile objects created earlier. To make routing switch automatically to the backup tunnel, enable Tunnel Monitor. This mechanism checks that the peer is alive using ICMP traffic. As the destination address, specify the IP address of the tunnel interface on the peer with which the tunnel is built. The monitor profile defines the timers and what to do when connectivity is lost: Wait Recover waits for the connection to be restored, Fail Over sends traffic via a different route if one exists. The second tunnel is configured in exactly the same way, with the second tunnel interface and the second IKE Gateway.


• Configuring routing

This example uses static routing. On firewall PA-1, in addition to the two default routes, two routes to the branch subnet 10.10.10.0/24 are required. One uses Tunnel-1, the other Tunnel-2. The route through Tunnel-1 is the primary one because it has the lower metric. Path Monitoring is not used for these routes; Tunnel Monitor is responsible for the switchover.


The corresponding routes to the subnet 192.168.30.0/24 must be configured on PA-2.


• Configuring security rules

For the tunnel to work, three rules are needed:

  1. For Path Monitor: allow ICMP on the external interfaces.
  2. For IPsec: allow the ike and ipsec applications on the external interfaces.
  3. Allow traffic between the internal subnets and the tunnel interfaces.
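Putting the steps above together, here is the PA-1 (head office) side as PAN-OS 8.x "set" commands entered in configure mode. This is an added example written for this edit, not configuration taken from the original article or from Palo Alto Networks. The object names, the zone names (untrust, trust, vpn), the RFC 5737 documentation addresses, the public probe target and the pre-shared-key placeholder are all assumptions; the exact keyword order of the path-monitor and tunnel-monitor lines should be confirmed with the CLI's "?" completion on the firewall's own PAN-OS version before committing.

```text
## PA-1, PAN-OS 8.x, configure mode. Added example; names, zones and addresses are placeholders.

# 1. WAN interfaces and two default routes with Path Monitoring.
#    Each route probes a public address (not the ISP gateway) once per second from its own
#    interface; 3 lost probes withdraw the route, hold-time (minutes) delays fail-back.
set network interface ethernet ethernet1/1 layer3 ip 198.51.100.2/24
set network interface ethernet ethernet1/2 layer3 ip 192.0.2.2/24
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
set network virtual-router default routing-table ip static-route DEF-ISP1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 198.51.100.1 metric 10
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route DEF-ISP1 path-monitor monitor-destinations PROBE-ISP1 enable yes source 198.51.100.2/24 destination 1.1.1.1 interval 1 count 3
set network virtual-router default routing-table ip static-route DEF-ISP2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 192.0.2.1 metric 20
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route DEF-ISP2 path-monitor monitor-destinations PROBE-ISP2 enable yes source 192.0.2.2/24 destination 1.1.1.1 interval 1 count 3

# 2. Tunnel interfaces, one /30 transit subnet each, in zone "vpn"; ping allowed so the
#    peer's Tunnel Monitor (and your own tests) get answers.
set network profiles interface-management-profile PING-ONLY ping yes
set network interface tunnel units tunnel.1 ip 172.16.1.1/30
set network interface tunnel units tunnel.1 interface-management-profile PING-ONLY
set network interface tunnel units tunnel.2 ip 172.16.2.1/30
set network interface tunnel units tunnel.2 interface-management-profile PING-ONLY
set network virtual-router default interface [ tunnel.1 tunnel.2 ]
set zone vpn network layer3 [ tunnel.1 tunnel.2 ]

# 3. IKE (Phase 1) crypto profile: AES-256, SHA-256, DH group 14 (2048-bit modulus).
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 lifetime hours 8

# 4. IPsec (Phase 2) crypto profile: ESP; the dh-group here turns on PFS (no-pfs would disable it).
set network ike crypto-profiles ipsec-crypto-profiles ESP-AES256-SHA256-G14 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles ESP-AES256-SHA256-G14 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles ESP-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles ESP-AES256-SHA256-G14 lifetime hours 1

# 5. One IKE gateway per ISP link: IKEv2 only, PSK authentication, liveness check every 10 s,
#    NAT traversal on in case either side sits behind NAT. Peer PA-2 is 203.0.113.2 via ISP-3.
set network ike gateway GW-ISP1 protocol version ikev2
set network ike gateway GW-ISP1 protocol ikev2 ike-crypto-profile IKE-AES256-SHA256-G14
set network ike gateway GW-ISP1 protocol ikev2 dpd enable yes interval 10
set network ike gateway GW-ISP1 local-address interface ethernet1/1 ip 198.51.100.2/24
set network ike gateway GW-ISP1 peer-address ip 203.0.113.2
set network ike gateway GW-ISP1 authentication pre-shared-key key REPLACE-WITH-A-LONG-RANDOM-PSK
set network ike gateway GW-ISP1 protocol-common nat-traversal enable yes
set network ike gateway GW-ISP2 protocol version ikev2
set network ike gateway GW-ISP2 protocol ikev2 ike-crypto-profile IKE-AES256-SHA256-G14
set network ike gateway GW-ISP2 protocol ikev2 dpd enable yes interval 10
set network ike gateway GW-ISP2 local-address interface ethernet1/2 ip 192.0.2.2/24
set network ike gateway GW-ISP2 peer-address ip 203.0.113.2
set network ike gateway GW-ISP2 authentication pre-shared-key key REPLACE-WITH-A-LONG-RANDOM-PSK
set network ike gateway GW-ISP2 protocol-common nat-traversal enable yes

# 6. IPsec tunnels. Tunnel Monitor pings the peer's tunnel-interface address; after 5 lost
#    probes at 3 s intervals the "fail-over" action takes the tunnel route out of service.
set network profiles monitor-profile TM-FAILOVER action fail-over interval 3 threshold 5
set network tunnel ipsec T1-ISP1 tunnel-interface tunnel.1
set network tunnel ipsec T1-ISP1 auto-key ike-gateway GW-ISP1
set network tunnel ipsec T1-ISP1 auto-key ipsec-crypto-profile ESP-AES256-SHA256-G14
set network tunnel ipsec T1-ISP1 tunnel-monitor enable yes destination-ip 172.16.1.2 tunnel-monitor-profile TM-FAILOVER
set network tunnel ipsec T2-ISP2 tunnel-interface tunnel.2
set network tunnel ipsec T2-ISP2 auto-key ike-gateway GW-ISP2
set network tunnel ipsec T2-ISP2 auto-key ipsec-crypto-profile ESP-AES256-SHA256-G14
set network tunnel ipsec T2-ISP2 tunnel-monitor enable yes destination-ip 172.16.2.2 tunnel-monitor-profile TM-FAILOVER

# 7. Branch subnet via both tunnels; the lower metric is primary. No Path Monitoring here,
#    Tunnel Monitor decides when the route through tunnel.1 is usable.
set network virtual-router default routing-table ip static-route BRANCH-T1 destination 10.10.10.0/24 interface tunnel.1 nexthop ip-address 172.16.1.2 metric 10
set network virtual-router default routing-table ip static-route BRANCH-T2 destination 10.10.10.0/24 interface tunnel.2 nexthop ip-address 172.16.2.2 metric 20

# 8. Security policy: the three rules from the article, scoped as tightly as the topology allows.
set rulebase security rules ALLOW-PATH-MONITOR from untrust to untrust source any destination 1.1.1.1 application ping service application-default action allow
set rulebase security rules ALLOW-IKE-IPSEC from untrust to untrust source 203.0.113.2 destination [ 198.51.100.2 192.0.2.2 ] application [ ike ipsec-esp ] service application-default action allow
set rulebase security rules ALLOW-SITE-TO-SITE from [ trust vpn ] to [ trust vpn ] source [ 192.168.30.0/24 10.10.10.0/24 ] destination [ 192.168.30.0/24 10.10.10.0/24 ] application any service any action allow
commit
```

PA-2 at the branch mirrors this with a single WAN interface: both IKE gateways use ethernet1/1 (203.0.113.2) and point at 198.51.100.2 and 192.0.2.2 respectively, the tunnel interfaces take 172.16.1.2/30 and 172.16.2.2/30, and the two static routes lead to 192.168.30.0/24. After the commit, `show vpn ike-sa` and `show vpn ipsec-sa` should list both gateways and tunnels as established, `show vpn flow` shows the tunnel monitor state, `show routing route` should show only the tunnel.1 route as active for 10.10.10.0/24, and `show routing path-monitor` reports the probe status of each default route. Pulling the ISP-1 link and watching `show routing route` and `show vpn flow` is the quickest way to confirm that the fail-over actually happens within the configured intervals.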


Conclusion

This article looked at one option for configuring a fault-tolerant Internet connection together with a site-to-site VPN. We hope the information was useful and that the reader has gained an understanding of the technologies used in Palo Alto Networks firewalls. If you have questions about the configuration or suggestions for future topics, write them in the comments; we will be glad to answer.

Source: www.habr.com
